FreeRADIUS 3 and ldap


FreeRADIUS 3 and ldap

Victor C
The info graciously provided by Alan seems not to match my version... or I
need more hand holding. My installation is on ubuntu server 18.04 and I
installed freeradius with apt-get. So I have version 3.0.16+dfsg-1ubuntu3.
Following some other instructions I also installed freeradius-ldap.
My installation is here:
/etc/freeradius/3.0
so no radb folder, but that's not a big deal, as I assume on other OS the
install is in /etc/radb/

In my version the ldap module is enabled according to these instructions in
mods-available/README.rst:

"Modules are enabled by creating a file in the mods-enabled/ directory.
You can also create a soft-link from one directory to another::

  $ cd raddb/mods-enabled
  $ ln -s ../mods-available/foo

Simplification
--------------

Allowing conditional modules simplifies the default virtual servers
that are shipped with FreeRADIUS.  This means that if you want to
enable LDAP (for example), you no longer need to edit the files in
raddb/sites-available/ in order to enable it.

Instead, you should edit the raddb/mods-available/ldap file to point
to your local LDAP server.  Then, enable the module via the soft-link
method described above.

Once the module is enabled, it will automatically be used in the
default configuration."

Which I did. According to this explanation, that's all I had to do to make
the FreeRADIUS use the ldap.
Now, to do the matching between the ldap attributes (group membership) and
the vlan communicated by the radius server to the switch... I found this in
the ldap file (in mods-available):
"
        #  Mapping of LDAP directory attributes to RADIUS dictionary attributes.
        #

        #  WARNING: Although this format is almost identical to the unlang
        #  update section format, it does *NOT* mean that you can use other
        #  unlang constructs in module configuration files.
        #
        #  Configuration items are in the format:
        #       <radius attr> <op> <ldap attr>
        #
        #  Where:
        #       <radius attr>:  Is the destination RADIUS attribute
        #                       with any valid list and request qualifiers.
        #       <op>:           Is any assignment attribute (=, :=, +=, -=).
        #       <ldap attr>:    Is the attribute associated with user or
        #                       profile objects in the LDAP directory.
        #                       If the attribute name is wrapped in double
        #                       quotes it will be xlat expanded.
        #
        #  Request and list qualifiers may also be placed after the 'update'
        #  section name to set defaults destination requests/lists
        #  for unqualified RADIUS attributes.
        #
        #  Note: LDAP attribute names should be single quoted unless you want
        #  the name value to be derived from an xlat expansion, or an
        #  attribute ref.
        update {
                control:Password-With-Header    += 'userPassword'
#               control:NT-Password             := 'ntPassword'
#               reply:Reply-Message             := 'radiusReplyMessage'
#               reply:Tunnel-Type               := 'radiusTunnelType'
#               reply:Tunnel-Medium-Type        := 'radiusTunnelMediumType'
#               reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'

                #  Where only a list is specified as the RADIUS attribute,
                #  the value of the LDAP attribute is parsed as a valuepair
                #  in the same format as the 'valuepair_attribute' (above).
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }
"
Is this the right place? Which lines do I repeat for multiple group-->vlan
translation?
For example:
ldap group Staff = vlan 1
ldap group Student = vlan 2
etc.

Thank you!

Victor
PS:
Here is the -X output:
Ready to process requests
(0) Received Access-Request Id 185 from 10.0.30.1:52861 to 10.27.10.28:1812 length 170
(0)   User-Name = "0050b65b2682"
(0)   NAS-Port = 82
(0)   EAP-Message = 0x0200001101303035306236356232363832
(0)   Message-Authenticator = 0x3b1aa07890d64adafe35474fef46a541
(0)   Acct-Session-Id = "8O2.1x815e03dc0003a119"
(0)   NAS-Port-Id = "ge-0/0/0.0"
(0)   Calling-Station-Id = "00-00-00-00-26-82"
(0)   Called-Station-Id = "78-19-f7-00-01-ab"
(0)   NAS-IP-Address = 10.0.30.1
(0)   NAS-Identifier = "juniper-switch"
(0)   NAS-Port-Type = Ethernet
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "0050b65b2682", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 17
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x203e0b73203f0f22
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 185 from 10.27.10.28:1812 to 10.0.30.1:52861 length 0
(0)   EAP-Message = 0x0101001604109200ae71105df798bfd15fa223378ede
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x203e0b73203f0f22c243f4b6bf6fbc88
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 186 from 10.0.30.1:52861 to 10.27.10.28:1812 length 205
(1)   User-Name = "0050b65b2682"
(1)   NAS-Port = 82
(1)   State = 0x203e0b73203f0f22c243f4b6bf6fbc88
(1)   EAP-Message = 0x02010022041042054d78ae7353304824c730cd1f1b28303035306236356232363832
(1)   Message-Authenticator = 0x494e1041e4c7265a19d87238d3c9776e
(1)   Acct-Session-Id = "8O2.1x815e03dc0003a119"
(1)   NAS-Port-Id = "ge-0/0/0.0"
(1)   Calling-Station-Id = "00-00-00-00-26-82"
(1)   Called-Station-Id = "78-19-f7-00-01-ab"
(1)   NAS-IP-Address = 10.0.30.1
(1)   NAS-Identifier = "juniper-switch"
(1)   NAS-Port-Type = Ethernet
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "0050b65b2682", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 34
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: Performing search in "ou=macs, o=domain.tld, o=cp" with filter "uid=<user>", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://netldap1.domain.tld:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)     [ldap] = notfound
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x203e0b73203f0f22
(1) eap: Finished EAP session with state 0x203e0b73203f0f22
(1) eap: Previous EAP request found for state 0x203e0b73203f0f22, released from the list
(1) eap: Peer sent packet with method EAP MD5 (4)
(1) eap: Calling submodule eap_md5 to process data
(1) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
(1) eap: ERROR: Failed continuing EAP MD5 (4) session.  EAP sub-module failed
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> 0050b65b2682
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5 authentication): [0050b65b2682] (from client juniper-switch port 82 cli 00-00-00-00-26-82)
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 186 from 10.27.10.28:1812 to 10.0.30.1:52861 length 44
(1)   EAP-Message = 0x04010004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 185 with timestamp +16
(1) Cleaning up request packet ID 186 with timestamp +16
Ready to process requests

----------------

Fri, 16 Nov 2018 17:58:39 -0500
From: Alan DeKok <aland@deployingradius.com>
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Subject: Re: MAC auth with LDAP
Message-ID: <0EEDAAC5-C2DA-4ABC-B0D3-93D9A0C35483@deployingradius.com>
Content-Type: text/plain;       charset=us-ascii

On Nov 16, 2018, at 5:13 PM, Victor Cenac <victor@fuller.edu> wrote:
> I have a Juniper network where we assign devices to vlans based on their
> MAC. The MACS are stored in an LDAP with the MAC as username and password.
> The group membership is what distinguishes the vlan needed.

  That should be simple enough,

> I managed to configure the ldap and enable the ldap module. FreeRADIUS
> starts fine with it. I also added all the switches as clients.

  OK.

> I need help figuring out:
> 1. Where do I tell FreeRADIUS to look for users in ldap (vs the users
> file)?

  raddb/sites-enabled/default

  Look for "ldap".   And, raddb/mods-available/ldap

  See also http://wiki.freeradius.org/.  Search for "ldap".  It has lots of
documentation.

> 2. Where do I match the group in ldap with the vlan number that needs to be
> sent to the client (switch)? For example, for group Staff value is 10 (vlan
> 10).

  You don't map LDAP names directly to VLANs.  They might be "sales", and
you can't use "sales" as a VLAN number.

  Instead, do this:

        if (LDAP-Group == "staff") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := 10
                }
        }

  Alan DeKok.
Victor Cenac-Mehedinti
Senior Systems Administrator
Fuller Theological Seminary
626 396 6060
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS 3 and ldap

Alan DeKok-2
On Nov 26, 2018, at 2:38 PM, Victor Cenac <[hidden email]> wrote:
>
> The info graciously provided by Alan seems not to match my version... or I
> need more hand holding. My installation is on ubuntu server 18.04 and I
> installed freeradius with apt-get. So I have version 3.0.16+dfsg-1ubuntu3.
> Following some other instructions I also installed freeradius-ldap.
> My installation is here:
> /etc/freeradius/3.0
> so no radb folder, but that's not a big deal, as I assume on other OS the
> install is in /etc/radb/

 The default is /etc/raddb.  Different operating systems change our packaging, and put the files into different places.

  I don't know which version you have, so I just use *our* defaults, and hope that people can figure it out.

> In my version the ldap module is enabled according to these instructions in
> mods-available/README.rst:

 Please don't post documentation to the list.  We already know it.

> Which I did. According to this explanation, that's all I had to do to make
> the FreeRADIUS use the ldap.

 You also need to configure the LDAP module itself.  i.e. point to the correct LDAP server, admin account, etc.

> Now, to do the matching between the ldap attributes (group membership) and
> the vlan communicated by the radius server to the switch... I found this in
> the ldap file (in mods-available):

 Again, there's no need to post this to the list.  We're already familiar with that file.

> Is this the right place? Which lines do I repeat for multiple group-->vlan
> translation?
> For example:
> ldap group Staff = vlan 1
> ldap group Student = vlan 2

 No.  What you do is READ MY PREVIOUS MESSAGE.  If you're not sure what it means, ASK.

 What I said was to do this:

      if (LDAP-Group == "staff") {
              update reply {
                      Tunnel-Type := VLAN
                      Tunnel-Medium-Type := IEEE-802
                      Tunnel-Private-Group-Id := 10
              }
      }

 This configuration goes into a virtual server, along with all of the other "if" and "update" blocks.  As per the "man unlang" documentation, and as per the dozens of other examples.

 Alan DeKok.

Re: FreeRADIUS 3 and ldap

Alan Buxey
In reply to this post by Victor C
hi,


> My installation is here:
> /etc/freeradius/3.0
>

so, if in that dir you have mods-enabled, sites-enabled etc. directories,
then that's your config path - so wherever you see /etc/raddb mentioned
(the default path)
just swap that with /etc/freeradius/3.0

then, if following Alan's instructions, just put the stuff into the post-auth
section of the default server in sites-enabled

        if (LDAP-Group == "staff") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := 10
                }
        }


alan
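Putting the three replies together, below is what a complete group-to-VLAN mapping looks like for the /etc/freeradius/3.0 layout used in this thread, with the one-group snippet from the replies extended to several groups and a fall-through. This is an added example, not configuration from the original posts or from the FreeRADIUS project. The LDAP server URL, bind account, ou=groups container, group names ("staff", "student") and VLAN IDs (10, 20) are assumptions to be replaced with local values; the ou=macs base is taken from the posted debug output. Two checks follow from that debug output: post-auth only runs after a successful authentication, and the posted run shows "ldap: Search returned no results" followed by "eap_md5: ERROR: Cleartext-Password is required", so the user lookup in the ldap module has to find the MAC's entry (with a cleartext userPassword, since EAP-MD5 cannot work from a hashed one) before any VLAN mapping can take effect.

```unlang
#
#  Part 1: /etc/freeradius/3.0/mods-available/ldap (relevant parts only)
#
#  LDAP-Group comparisons only work when the module knows how to
#  resolve group membership, so the group {} section is required in
#  addition to the user {} lookup.
#
ldap {
	#  Assumed placeholders; replace with the real directory.
	server = 'ldaps://ldap.example.org'
	identity = 'cn=radius,ou=services,o=domain.tld,o=cp'
	password = 'change-me'
	base_dn = 'o=domain.tld,o=cp'

	user {
		#  The MACs are stored with the MAC as the uid (per the
		#  thread). This search must return exactly one entry.
		base_dn = "ou=macs,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		#  ou=groups is an assumption. LDAP-Group is compared
		#  against name_attribute (the cn here), so "staff" must
		#  be the cn of the group object, not its full DN.
		base_dn = "ou=groups,${..base_dn}"
		filter = '(objectClass=groupOfNames)'
		name_attribute = cn
		membership_filter = "(member=%{control:Ldap-UserDn})"
	}

	update {
		#  userPassword must be stored in cleartext for EAP-MD5;
		#  pap turns Password-With-Header into Cleartext-Password.
		control:Password-With-Header += 'userPassword'
	}
}

#
#  Part 2: /etc/freeradius/3.0/sites-enabled/default, post-auth section
#
#  One if/elsif block per group. Tunnel-Type and Tunnel-Medium-Type are
#  identical for every VLAN; only Tunnel-Private-Group-Id differs.
#  Each LDAP-Group comparison costs an LDAP search, so list the most
#  common group first. The final else rejects a MAC that authenticated
#  but is in no known group, instead of letting the switch fall back to
#  its own default VLAN.
#
post-auth {
	if (LDAP-Group == "staff") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "10"
		}
	}
	elsif (LDAP-Group == "student") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "20"
		}
	}
	else {
		reject
	}

	#  The rest of the stock post-auth section (exec, the
	#  remove_reply_message_if_eap policy, Post-Auth-Type REJECT {...})
	#  stays as shipped below this point.
}
```

Check the configuration with `freeradius -XC` (the Debian/Ubuntu packaging names the binary freeradius) before restarting, then run `freeradius -X` and authenticate one known MAC: the Access-Accept at the end of the debug output should list the three Tunnel attributes, and a MAC in no group should end in Access-Reject rather than an Accept without a VLAN.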